* WIP - Teddy's webinar
* WIP
* Added more details with diagram
* Fixed a typo
* Added a note about terraform bug with 0.11.4 & 0.11.5
* Minor adjustment
* Fixed typos
* Added matching CLI commands
* Added extra speace for readability
* add require_cn to pki roles
* add policy_identifiers and basic_constraints_valid_for_non_ca to pki role form
* add new fields to the PKI docs
* add add_basic_constraints field
* WIP
* Added auto unseal
* Converting to a guide
* Added little more explanations
* Minor fixes
* Fixed a typo
* Fixed a typo
* Changed auto unseal to auto-unseal
* Found more typo... fixed
It is slightly confusing to have the first example include a key named "Value". This can create a slight hump to grokking what's happening in this early step of the README. Here we rename the key to "foo" to help indicate it's dynamic nature.
* Vault HA guide draft
* Fixed node_id to say node_name based on Brian's input
* Fixed the unwanted hyperlink
* Vault HA guide
* Updated the description of the Vault HA guide
* Typo fixes
* Added a reference to Vault HA with Consule guide
* Incorporated Teddy's feedback
* Fixed an env var name
* Vault configuration has been updated: 'api_addr'
We ran into some confusion about what we should be setting the api_addr config value to. I feel this general recommendation should nudge any others into a better understanding of what this value should point to.
* Adding new guides
* Replaced backend with engine
* Grammar for the encryption guide
* Grammar and Markdown style for the Transite Rewrap guide
See
https://github.com/hashicorp/engineering-docs/blob/master/writing/markdown.md
for notes on numbered Markdown lists.
* grammar and wording updates for ref arch guide
* Updating replication diagram
* Removing multi-tenant pattern guide
* Added a note 'Enterprise Only'
* Removing multi-tenant pattern guide
* Modified the topic order
* Grammar and Markdown formatting
* Grammar, Markdown syntax, and phrasing
* Grammar and Markdown syntax
* Replaced 'backend' with appropriate terms
* Added a note clarifying that replication is an enterprise-only feature
* Updated the diagram & added additional resource links
* update some grammar and ordering
* Removed the inaccurate text in index for EaaS
* Update aws auth docs with new semantics
Moving away from implicitly globbed bound_iam_role_arn and
bound_iam_instance_profile_arn variables to make them explicit
* Refactor tests to reduce duplication
auth/aws EC2 login tests had the same flow duplicated a few times, so
refactoring to reduce duplication
* Add tests for aws auth explicit wildcard constraints
* Remove implicit prefix matching from AWS auth backend
In the aws auth backend, bound_iam_role_arn and
bound_iam_instance_profile_arn were ALWAYS prefix matched, and there was
no way to opt out of this implicit prefix matching. This now makes the
implicit prefix matching an explicit opt-in feature by requiring users
to specify a * at the end of an ARN if they want the prefix matching.
* auth/aws: Allow binding by EC2 instance IDs
This allows specifying a list of EC2 instance IDs that are allowed to
bind to the role. To keep style formatting with the other bindings, this
is still called bound_ec2_instance_id rather than bound_ec2_instance_ids
as I intend to convert the other bindings to accept lists as well (where
it makes sense) and keeping them with singular names would be the
easiest for backwards compatibility.
Partially fixes#3797
If you try to use role authorization to get an STS token, you'll get this error:
* Error generating STS keys: AccessDenied: Cannot call GetFederationToken with session credentials
In the authentication section of the getting started doc, the token used
to login doesn't match with the one displayed as the command result.
This commit makes sure that both tokens correspond to avoid distracting
newcomers.
* Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs
* docs: Add ttl params to auth enable endpoint
* Rewording of go string to simply string
* Add audit hmac keys as CLI flags on auth/secrets enable
* Fix copypasta mistake
* Add audit hmac keys to auth and secrets list
* Only set config values if they exist
* Fix http sys/auth tests
* More auth plugin_name test fixes
* Pass API values into MountEntry's config when creating auth/secrets mount
* Update usage wording
* auth/aws: Allow lists in binds
In the aws auth method, allow a number of binds to take in lists
instead of a single string value. The intended semantic is that, for
each bind type set, clients must match at least one of each of the bind
types set in order to authenticate.
* Add the ability to use multiple paths for capability checking. WIP
(tests, docs).
Fixes#3336
* Added tests
* added 'paths' field
* Update docs
* return error if paths is not supplied
* Consul service address is blank
Setting an explicit service address eliminates the ability for Consul
to dynamically decide what it should be based on its translate_wan_addrs
setting.
translate_wan_addrs configures Consul to return its lan address to nodes
in its same datacenter but return its wan address to nodes in foreign
datacenters.
* service_address parameter for Consul storage backend
This parameter allows users to override the use of what Vault knows to
be its HA redirect address.
This option is particularly commpelling because if set to a blank
string, Consul will leverage the node configuration where the service is
registered which includes the `translate_wan_addrs` option. This option
conditionally associates nodes' lan or wan address based on where
requests originate.
* Add TestConsul_ServiceAddress
Ensures that the service_address configuration parameter is setting the
serviceAddress field of ConsulBackend instances properly.
If the "service_address" parameter is not set, the ConsulBackend
serviceAddress field must instantiate as nil to indicate that it can be
ignored.
* Verify DNS SANs if PermittedDNSDomains is set
* Use DNSNames check and not PermittedDNSDomains on leaf certificate
* Document the check
* Add RFC link
* Test for success case
* fix the parameter name
* rename the test
* remove unneeded commented code
